March 6, 2019

Debunking Common Misconceptions About Auditing Digital Assets

When talking with audit professionals, we have noticed a few misconceptions about auditing digital assets that are worth discussing. The most prominent misconceptions relate to proving ownership and confirming transaction details of digital assets (typically cryptocurrencies) as part of a financial statement audit. We have heard the following assumptions, which may seem reasonable at the outset but are not prudent on closer inspection:

“The blockchain itself is basically an audit, therefore all transactions are inherently correct and can be used as evidence to confirm financial statement account activity.”

“Confirming ownership is unnecessary; all the activity is on the blockchain and readily viewable by any party.”

“Confirming ownership is unnecessary; private keys can be duplicated and hypothetically distributed to multiple parties who can claim ownership of the same funds on their own financial statements. Therefore, confirming ownership of the private keys doesn’t consider the potential for nefarious activities and should not be relied upon for audit evidence.”

“Confirming ownership is impossible. If I have access to the client’s private keys, I, along with a bad actor, could steal the keys and related funds. This is too risky a procedure to perform during an audit.”

We have heard this reasoning from small CPA firms as well as Big 4 auditors. While the PCAOB has not issued authoritative guidance, we invite auditors to think critically about how best to test digital assets.

Diving deeper into each of these assumptions, here are considerations an auditor may think about when applying this logic to an audit.

The blockchain itself is basically an audit, therefore all transactions are inherently correct and can be used as evidence to confirm financial statement account activity.

Blockchains, for the most part, contain complete and accurate data. An auditor will still have to consider the underlying blockchains, how much hash power secures those blockchains, and what the auditor's risk tolerance is.

Blockchain data, however, is only half of the equation. Companies holding crypto assets typically keep records independently in their own accounting software (e.g. QuickBooks, Xero, Intacct). Unless the company uses an industry-specific accounting system (such as Ledgible, SoftLedger, Libra or Balanc3) that derives wallet balances and transaction history directly from the blockchain, the auditor will have to reconcile internally kept records with the external blockchain data.

While not terribly difficult, this reconciliation is vital: it verifies that the company accounted for all transactions on the public blockchains involving company wallets. If auditors do not perform this procedure, there is a risk that inaccurate transactions, or an incomplete set of transactions, were recorded on the company books.
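The reconciliation described above, as an added example (not part of the original post or any of the named products), written in Go with constructed sample data: each side is a list of transaction ids and amounts for the company's wallets, and the output is the three kinds of exception an auditor would follow up on (on-chain but unrecorded, recorded but not on-chain, and amount differences).

```go
package main

import "fmt"

// Tx is one transfer touching a company wallet, keyed by transaction id.
// Amount is in the smallest unit (e.g. satoshi); negative means an outflow.
type Tx struct {
	ID     string
	Amount int64
}

// Exceptions lists what the auditor follows up on after the reconciliation.
type Exceptions struct {
	MissingFromBooks []string // on-chain, but never recorded (completeness)
	MissingFromChain []string // recorded, but no such on-chain tx (existence)
	AmountMismatch   []string // recorded with a different amount (accuracy)
}

// Reconcile compares the company ledger with on-chain activity for its wallets.
func Reconcile(books, chain []Tx) Exceptions {
	var ex Exceptions
	byID := make(map[string]Tx, len(chain))
	for _, t := range chain {
		byID[t.ID] = t
	}
	seen := make(map[string]bool, len(books))
	for _, b := range books {
		seen[b.ID] = true
		c, ok := byID[b.ID]
		switch {
		case !ok:
			ex.MissingFromChain = append(ex.MissingFromChain, b.ID)
		case c.Amount != b.Amount:
			ex.AmountMismatch = append(ex.AmountMismatch, b.ID)
		}
	}
	for _, c := range chain { // slice order keeps the output deterministic
		if !seen[c.ID] {
			ex.MissingFromBooks = append(ex.MissingFromBooks, c.ID)
		}
	}
	return ex
}

// Constructed sample data: the books omit "c3", misstate "b2" and record "z9", which never happened on-chain.
var SampleBooks = []Tx{{"a1", 500000}, {"b2", -120000}, {"z9", 75000}}
var SampleChain = []Tx{{"a1", 500000}, {"b2", -125000}, {"c3", 30000}}

func main() {
	fmt.Printf("%+v\n", Reconcile(SampleBooks, SampleChain))
}
```

In practice the chain side comes from a block explorer or node export filtered to the wallet addresses management has represented as the company's; an empty Exceptions value is what a clean reconciliation looks like.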

Confirming ownership is unnecessary; all the activity is on the blockchain and readily viewable by any party.

While it is true that all wallet and transaction activity is viewable on the blockchain, this does not mean confirming ownership of the wallets related to the company financial statements is a moot point. A wallet and its transactions on the company's records may not actually be owned by the company. If no ownership procedures are performed, a company could simply claim a specific wallet address is theirs, point to the blockchain to show the balance, and include unowned assets on their financial statements.

Confirming ownership is unnecessary; private keys can be duplicated and hypothetically distributed to multiple parties who can claim ownership of the same funds on their own financial statements. Therefore, confirming ownership of the private keys doesn’t consider the potential for nefarious activities and should not be relied upon for audit evidence.

The ability to duplicate private keys is by design in blockchain protocols. Duplicating keys is a crucial part of creating the appropriate safeguards to protect your funds. As many past incidents have shown, maintaining your keys in a single centralized environment creates a concentrated point of failure.

However, just because private keys can be duplicated, that does not make them insufficient as audit evidence. In fact, private key verification is most likely the best form of audit evidence available. While it is true that two companies could be sharing a private key, or that a private key could have been compromised and a hacker is waiting patiently to steal funds, the auditor has a few methods to mitigate these risks when confirming ownership of wallets during an audit.

To address fraud considerations, an auditor receives a management representation letter from the pertinent members of the company attesting (among other items):

Management has no knowledge of fraud within the company.

Management is responsible for systems designed to detect and prevent fraud.

Management representation letters do not catch all fraud, but they do act as a deterrent, placing sole responsibility for the data presented on the members of management, including fraud and related party considerations. In addition to receiving the management representation letter, the auditor exercises professional skepticism at all times during the audit.

(Management also attests to other items that are relevant to the third misconception above, regarding internal controls:

The management team acknowledges its responsibility for the system of financial controls.

Management is responsible for the proper presentation of the financial statements in accordance with the applicable accounting framework.

All financial records have been made available to the auditors.

Management has disclosed all liens and other encumbrances on its assets.

All contingent liabilities have been disclosed.

All related parties’ transactions have been disclosed.)

If the private keys truly belong to another party, but management is representing ownership on their own financial records, the auditor can perform procedures that may uncover inconsistencies between company books and blockchain data. When reconciling company books to blockchain data, the auditor should inquire about the nature of transactions, along with ensuring all transactions reconcile exactly to the company's internal records. If the wallets are truly owned by a third party, the company books may not reconcile to the data on the blockchain (as the true owner performed their own transactions), and management may not be able to describe relevant details of a transaction (such as the external party, the reason for the transaction, etc.).

As part of the audit, management should review the controls in place related to key creation, management, and disposal. If management has documented, designed and well-functioning controls, or follows a standard, such as the CryptoCurrency Security Standard, the auditor can gain comfort that the company’s keys have been managed securely and not disseminated to third parties or bad actors.

Confirming ownership is impossible. If I have access to the client’s private keys, I, along with a potential bad actor, could steal the keys and related funds. This is too risky a procedure to perform during an audit.

Exposing private keys at any point is risky. However, the auditor and management can agree to a procedure that mitigates these risks and allows proper verification of ownership. This can include viewing balances on wallet GUIs or obtaining digital signatures. If performed in secure environments, these procedures can be both effective and secure.
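The digital-signature procedure mentioned above, as an added example (not the authors' or any firm's actual procedure), written in Go with the standard library's Ed25519 standing in for the wallet's own signature scheme: the auditor issues a one-off challenge, the client signs it wherever its key is kept, and the auditor verifies the signature against the wallet's public key, so the private key never leaves the client's environment. The auditor and wallet names are placeholders; for Bitcoin or Ethereum the additional step of deriving the address from the public key and matching it to the wallet under audit is assumed and omitted here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// NewChallenge builds the auditor's message to be signed. The random nonce
// ties the signature to this engagement, so an old signature cannot be reused.
func NewChallenge(auditor, wallet string) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return fmt.Sprintf("Ownership attestation for %s | wallet %s | nonce %s",
		auditor, wallet, hex.EncodeToString(nonce)), nil
}

// ClientSign runs on the client's side (ideally on an offline machine); only
// the signature leaves the client's environment, never the private key.
func ClientSign(priv ed25519.PrivateKey, challenge string) []byte {
	return ed25519.Sign(priv, []byte(challenge))
}

// AuditorVerify checks the signature against the public key that belongs to
// the wallet under audit. It succeeds only for the exact challenge text.
func AuditorVerify(pub ed25519.PublicKey, challenge string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(challenge), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the client's wallet key
	ch, _ := NewChallenge("Example Auditor LLP", "wallet-placeholder")
	sig := ClientSign(priv, ch)
	fmt.Println("client key:", AuditorVerify(pub, ch, sig))
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader) // some unrelated key
	fmt.Println("other key:", AuditorVerify(otherPub, ch, sig))
}
```

The signature file and the challenge text are what go into the audit workpapers; they prove control of the key at the time of the challenge, which is why the procedure should be performed as close to the balance sheet date as practical.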

As digital assets become mainstays on company financial statements, we invite auditors to think critically about the current necessities and auditing problems at hand. Digital assets will only become more complex with time (non-fungible tokens, tokenized assets, stablecoins), and it is vital that the profession moves quickly in understanding and accounting for this change in technology.

Co-Authors:

Jeremy is a manager in Armanino’s Blockchain practice, with more than 4 years of experience performing compliance, internal and blockchain-technical audits. He has experience leading and participating in cryptocurrency/blockchain engagements for exchanges, crypto-startups, and stablecoins. Jeremy authors Armanino’s blockchain audit memos, and he has helped develop proprietary procedures to test digital assets for reliance during an audit.

A Certified Blockchain Professional and member of the Cryptocurrency Certification Consortium, Jeremy is also a Certified Public Accountant (CPA) and Certified Management Accountant (CMA). He holds a Bachelor of Business Administration, Accounting from California State University, Chico.

Andries leads the Blockchain practice and brings a passion for growth to his clients. He works with a variety of crypto and blockchain projects and exchanges, helping them navigate accounting, audit, tax and risk best practices as they grow. He also helps non-crypto industry clients transform their business through blockchain technology enablement.

Prior to joining Armanino, Andries was CEO at The Brenner Group, a boutique Silicon Valley financial services firm. Before that, he was a partner at Moore Stephens Belgium. He started his career at PricewaterhouseCoopers. He grew up in Belgium, and lived and worked in New York and Shanghai before moving to California.


Armanino is one of the top 25 largest independent accounting and business consulting firms in the United States. Armanino provides an integrated set of audit, tax, consulting, business management and technology solutions to companies in the U.S. and globally. Armanino extends its global services to more than 100 countries through its membership in Moore Global Network, one of the world's major accounting and consulting membership organizations.

In addition to its core consulting and accounting practices, Armanino operates its division AMF Media Group (amfmediagroup.com), a media and communications services provider, and its affiliate Intersect Capital (intersectcapitalllc.com), an independent financial planning, wealth and lifestyle management firm.